See, Robin, my thought is this: You've already shown that it's possible for the RA function to bypass all controls. At this point, because they're not subject to the same audits that Comodo is, and because the last WebTrust audit that anyone here can find any record of is in 2007, I find it difficult to believe that you have the "annual external audit".

The internal controls are supposed to prevent this kind of mis-issuance. Because they didn't, they throw all the audits that you have provided into doubt. Because of this, there is no trust that I have in Comodo's operation. Further, this is a problematic practice (delegation of the Registration Authority function, as opposed to a simple "reseller" role) that has been shown to cast doubt on the entire domain. The Registration Authority function is terribly security-sensitive. If the whistle had not been blown by someone who knew where to post to kick the beehive, would this have been detected? Since the RAs aren't audited (which is, by the way, a TERRIBLY dangerous practice, as you're seeing), and your statements about "a representative sample of certificate requests are reviewed" suggesting that they're not even properly audited by your internal controls...

It is not necessarily a requirement for reseller information to be disclosed. However, we're trying to evaluate your company's continued trustworthiness, and (at least at the moment) I can't find anything there to trust.

I'm willing to allow your eleven roots to stay in the root store with trust bits removed until you provide documentation and an update to your agreement with your RAs to require on-site audits at least annually (even if done by your internal auditors) -- the only alternative at this point is to completely remove your roots from the program.

I would like to know how you're going about ensuring that none of your other RAs are subject to the same 'glitch' in their signup processes. I'd like to hear that you're being proactive about this issue. Unfortunately, I'm not hearing such.

-Kyle H

On Fri, Dec 26, 2008 at 1:10 PM, <ro...@comodo.com> wrote:
> On Dec 24, 2:13 am, "Paul C. Bryan" <em...@pbryan.net> wrote:
>> On Dec 23, 5:56 pm, ro...@comodo.com wrote:
>> Some questions:
>>
>> 1. Does Comodo take full responsibility for the actions of its
>> resellers? If so, how should the repercussions of such failures be to
>> Comodo?
> Comodo accepts responsibility for the work of its RAs in the
> validation that they do leading to the issuance of certificates under
> our root certificates.
>
>> 2. Are resellers subject to the same audits that Comodo presumably had
>> to undergo to get its root certs added to Mozilla? Who performs, and
>> who verifies such audits? How often are they performed?
> No, the RAs are not subject to the same audits as Comodo. Comodo
> undergoes an annual external audit to maintain our WebTrust
> certification for CAs.
> http://www.cica.ca/download.cfm?ci_id=45239&la_id=1&re_id=0
> https://cert.webtrust.org/ViewSeal?id=804
>
>> 3. Are you willing to openly, continually disclose your list of
>> resellers, the frequency of audits, audit methodology, and actual
>> audit reports so that third parties can evaluate whether Comodo is
>> trustworthy as a CA?
> That is a question combined with an assertion.
> To the question: on a unilateral basis, no, Comodo wouldn't reveal
> that level of detail of our internal operation. If all CAs were
> required to provide the information, either to retain WebTrust
> certification or to gain or retain access to the root program of a
> major browser or other platform, then we would reconsider.
> To the assertion that this is a pre-requisite for a CA to be
> trustworthy: I am not aware that it is Mozilla's policy to require
> this information to be disclosed.
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto